Just 48 hours after banks and government websites crashed in Ukraine under 
the weight of a concerted cyberattack on February 15 and 16, the United 
States pointed the finger at Russian spies. 


Anne Neuberger, the White House’s deputy national security advisor for 
cyber and emerging technology, said that the US has “technical 
information that links the Russian Main Intelligence Directorate (GRU)” 
with the DDoS attack that had overloaded and brought down the 
Ukrainian websites. 




“GRU infrastructure was seen transmitting high volumes of 
communication to Ukraine-based IP addresses and domains,” she told 
journalists on February 18. It’s believed that the cyberattack was meant to 
sow panic in Ukraine as over 150,000 Russian troops massed at the border. 
The speed at which both US and UK officials were able to apportion blame 
reflects an enormous change from recent history, and it shows how 
attribution has become a crucial tool of cyber conflict for the United States. 
In recent years, the US has used this as a geopolitical tool more often than 
any other country in the world, often working with allies in the United 
Kingdom—especially when the target is Russia, as was the case last week. 


“I will note that the speed with which we made that attribution is very 
unusual,” Neuberger said. “We’ve done so because of a need to call out the 
behavior quickly as part of holding nations accountable when they conduct 
disruptive or destabilizing cyber activity.” 


This new policy has its roots in what happened in the wake of the 2016 US 
election. Gavin Wilde, formerly a senior National Security Council official 
focused on Russia, helped author the landmark intelligence community 
assessment that detailed Moscow’s hacking and disinformation campaigns 
aimed at influencing the election. It took an enormous effort prompted by 
President Obama himself, backed up by Director of National Intelligence 
James Clapper, just to kick-start the process of getting all the relevant US 
intelligence agencies in the same room to share information across a wide 
But the attribution of Russia’s campaign wasn’t made public until 2017, 
months after the US election itself. 


https://www.technologyreview.com/2022/02/21/1046087/russian-hackers-ukraine/?truid=b755c73d5/7ae0e/742e3c86dcd96bd3f6&utm_source=th... 3/11 


2/23/22, 4:24 AM The US is unmasking Russian hackers faster than ever | MIT Technology Review 




“There was a feeling of helplessness [among US intelligence] when clearly 
the American public was the target audience for the Russians,” Wilde tells 
MIT Technology Review. 


Even though it came late, the assessment was an impressive 
accomplishment compared with anything that had come before. 


“But there was still a sense of failure that we weren’t able to defuse these 
activities before the narratives were well seeded by the Russians and 
amplified by people in positions of prominence,” Wilde says. 


The long road 

Hacking was an important facet of global politics for decades before public 
attribution was ever seriously considered. But a landmark cybersecurity 
report from a private-sector firm, which landed on the front page of the 
New York Times, finally changed the way the entire world thought about 
unmasking hackers. 


The 2013 report on Chinese hackers known as APT1 by the American 
cybersecurity firm Mandiant was the first to publicly point the finger at a 
nation-state. It took a full decade of hacking by the group, beginning in 
Liberation Army cyber-espionage group known as Unit 61398. A year later, the 
US Department of Justice effectively backed up the report when it indicted 
five officers from the unit on charges of hacking and stealing intellectual 
property from American companies. 


“The APT1 report fundamentally changed the benefit-risk calculus of the 
attackers,” says Timo Steffens, a German cyber-espionage investigator and 
author of the book Attribution of Advanced Persistent Threats. 


“Prior to that report, cyber operations were regarded as almost risk-free 
tools,” he says. “The report not only came up with hypotheses but clearly 
and transparently documented the analysis methods and data sources. It 
was clear that this was not a one-off lucky finding, but that the tradecraft 
can be applied to other operations and attacks as well.” 


The consequences of the headline-grabbing news were far reaching. A 
wave of similar attributions followed, and the United States accused China 
of systematic massive theft. As a result, cybersecurity was a centerpiece of 
Chinese president Xi Jinping’s visit to the United States in 2015. 


“Before the APT1 report, attribution was the elephant in the room that no 
one dared to mention,” says Steffens. “In my opinion it was not only a 
technical breakthrough, but also a bold achievement of the authors and 
their managers to go the final step and make the results public.” 


It’s that final step that has been lacking, as intelligence officers are now 
well versed in the technical side. To attribute a cyberattack, intelligence 
analysts look at a range of data including the malware the hackers used, the 

(who stands to gain?)—a geopolitical analysis of strategic motivation 
behind the attacks. 


The more data can be examined, the easier attribution becomes as patterns 
emerge. Even the world’s best hackers make mistakes, leave behind clues, 
and reuse old tools that help make the case. There’s an ongoing arms race 
between analysts coming up with new ways to unmask hackers and the 
hackers aiming to cover their tracks. 


But the speed with which the Russian attack was attributed showed that 
previous delays in naming names were not simply due to a lack of data or 
evidence. The issue was politics. 


“It boils down to a matter of political will,” says Wilde, who worked at the 
White House until 2019. “For that you need decisive leadership at every 
level. My interactions with [Anne Neuberger] lead me to believe she’s the 
type that can move mountains and cut through red tape when needed to 
augur an outcome. That’s the person she is.” 


Wilde argues that the potential Russian invasion of Ukraine, which risks 
hundreds of thousands of lives, is pushing the White House to act more 
quickly. 


“The administration seems to have gathered that the best defense is a good 
preemptive offense to get ahead of these narratives, ‘pre-bunking’ them 
and inoculating the international audience, whether it be the cyber 
intrusions or false flags and fake pretexts,” says Wilde. 


Public attribution can have a very real impact on adversaries’ cyber 
strategy. It can signal that they’re being watched and understood, and it 
can impose costs when operations are uncovered and tools must be 
burned to start anew. It can also trigger political action such as sanctions 
Just as important, Gavin argues, it’s a signal to the public that the 
government is closely tracking malicious cyber activity and working to fix 
it. 


“It creates a credibility gap, particularly with the Russians and Chinese,” 
he says. “They can obfuscate all they want, but the US government is 
putting it all out there for public consumption—a forensic accounting of 
their time and efforts.” 